CVE-2019-17563

Published: Dec 23, 2019 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2019-0787 Aliases: GHSA-9xcj-c8cr-8c3c
CVSS v3 Base Score: 7.5 (HIGH)
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
CVSS v2 Base Score: 5.1 (MEDIUM)
Access Vector: network
Access Complexity: high
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial

Description


When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and on the characteristics of the vulnerability.

EPSS Score: 0.0243
Percentile: 0.8

[EPSS score trend chart (last 90 days): not reproduced in text]

Weakness (CWE)

CWE-384: Session Fixation (CWE entry status: Incomplete)
Common Consequences
  Security Scopes Affected: Access Control
  Potential Impacts: Gain Privileges Or Assume Identity
Applicable Platforms
  Technologies: Web Based, Web Server
Affected Configurations (CPE)

Common Platform Enumeration - Standardized vulnerability identification

Operating System: Debian Linux by Debian
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Application: Tomcat by Apache
  Version range affected: from 9.0.0 (inclusive) to 9.0.29 (inclusive)
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Application: Mysql Enterprise Monitor by Oracle
  Version range affected: to 4.0.11.5331 (inclusive)
  cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Application: Tomcat by Apache
  Version range affected: from 7.0.0 (inclusive) to 7.0.98 (inclusive)
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Application: Agile Engineering Data Management by Oracle
  cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*

Application: Instantis Enterprisetrack by Oracle
  Version range affected: from 17.1 (inclusive) to 17.3 (inclusive)
  cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*

Application: Transportation Management by Oracle
  cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*

Application: Tomcat by Apache
  Version range affected: from 8.5.0 (inclusive) to 8.5.49 (inclusive)
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Operating System: Leap by Opensuse
  cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Operating System: Debian Linux by Debian
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Application: Mysql Enterprise Monitor by Oracle
  Version range affected: from 8.0.0 (inclusive) to 8.0.18.1217 (inclusive)
  cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Application: Hyperion Infrastructure Technology by Oracle
  cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*

Operating System: Debian Linux by Debian
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Application: Micros Relate Crm Software by Oracle
  cpe:2.3:a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*

Application: Retail Order Broker by Oracle
  cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*

Operating System: Ubuntu Linux by Canonical
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690…
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffaf…
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a545…
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741…
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855…
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83…
https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f49…
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
https://seclists.org/bugtraq/2019/Dec/43 (Mailing List, Third Party Advisory)
https://security.gentoo.org/glsa/202003-43
https://security.netapp.com/advisory/ntap-20200107-0001/
https://usn.ubuntu.com/4251-1/
https://www.debian.org/security/2019/dsa-4596
https://www.debian.org/security/2020/dsa-4680
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html